Flaw Found in Apple Bug-Fix Tool
eldavojohn writes "The Month of Apple Bugs (MOAB) is well under way with a startling bug released Monday. From the description: 'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.' APE is the same software used to deploy fixes during 'The Month of Apple Fixes' (MOAF). I know it's confusing but MOAB came first and MOAF was a developer's answer to the bugs — after all, the purpose of posting bugs is to have them identified, confirmed and eradicated. The article talks about potential remote root access by an intruder. Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."
So, this is the best MOAB has to offer? A security bug in a third-party "enhancement"?
This is scaremongering at its best. Nothing to see here, move along.
The Secret of Life: Proteins fold up and bind things.
People who use APE-dependent apps are already familiar with the bugs that come along with that choice. They shouldn't be surprised or alarmed by this. APE is already one of the first things I check for on an OS X machine that is acting flakey. //just say no to 'haxies' ///they should call them 'crappies'
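The check the comment above describes, written out as an added example (it is not code from the thread, from Unsanity or from Apple): a POSIX sh function that looks for Application Enhancer artifacts on a volume. The install paths listed in the function are assumptions about where APE places its framework, preference pane, system loader bundle and haxie folder; the optional root argument lets the same check run against a mounted image or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example: scan a volume root for traces of Application Enhancer (APE).
# The relative paths below are assumed install locations, not taken from the
# discussion above; adjust them to match your own inventory.
#
# Usage: ape_check [ROOT]   (ROOT defaults to "/")
# Exit status: 0 if at least one APE artifact was found, 1 otherwise.
ape_check() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so "/" becomes ""
    found=0
    for rel in \
        "Library/Frameworks/ApplicationEnhancer.framework" \
        "Library/PreferencePanes/Application Enhancer.prefPane" \
        "System/Library/SystemConfiguration/ApplicationEnhancer.bundle" \
        "Library/Application Enhancers"
    do
        if [ -e "$root/$rel" ]; then
            printf 'APE artifact present: %s\n' "$root/$rel"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Run against the live system only when executed directly, not when sourced.
if [ "${0##*/}" = "ape_check.sh" ]; then
    if ape_check "$1"; then
        echo "Application Enhancer appears to be installed."
    else
        echo "No Application Enhancer artifacts found."
    fi
fi
```

A non-zero exit status means none of the assumed paths exist, so the function slots into an inventory or fleet-audit script as a simple pass/fail; extend the path list if a later APE release moves its files.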
I'm surprised APE doesn't spontaneously mutate into a backdoor shell on port 6666 SIMPLY THROUGH A COINCIDENCE OF CODING ERRORS.
Seriously, if you're using APE, get it off your Mac NOW.
If LMH was an ethical security researcher, he'd be disclosing the bugs to Apple a couple weeks in advance to give them time to release patches.
If Apple was an ethical company, they would find and close security holes a couple weeks BEFORE SHIPPING THE DAMN SOFTWARE.
AFAIK, Apple's got a decent record of responding to security bug tips. They even give credit in the release notes for their patches.
Gosh, thanks Apple! That's a nice payment for having someone do your work for you!
If Apple wants somebody to "responsibly disclose" their own programming errors, that person better be on Apple's fucking payroll.
responsible disclosure == unpaid work for vendors == no incentive to find bugs before shipping
Though you're right, this whole thing is bullshit dick-measuring.
MOAB guy: Post the bugs + exploits on a plain white page with no further commentary dude. We'll have a lot more respect for you.